Cybercriminals increasingly target point of sales systems

Trustwave highlights the difference in data-breach activity between North America and the rest of the world

Attackers infect point-of-sale terminals with malware

Attackers infect point-of-sale terminals with malware

The data breach landscape could look very different in the future with the increased adoption of chip-enabled payment cards in North America -- but for now point-of-sale systems account for the majority of breaches there, compared to a tiny minority in other regions of the world.

Hacked point-of-sale (PoS) terminals were responsible for 65 percent of the data compromises investigated by security firm Trustwave last year in North America, compared to only 10 percent in Europe, Middle East and Africa and 11 percent in the Asia and Pacific region. Worldwide, the company investigated 574 breaches, half of them in the U.S.

The difference between PoS breach numbers in North America and other regions is largely due to a payment card standard called EMV (Europay, MasterCard, and Visa), which mandates the use of electronic chips in cards for antifraud protection. These are also called Chip-and-PIN or Chip-and-Signature cards and they have only recently started to be introduced in the U.S. and Canada.

The chip is used to authenticate the cards to EMV-capable card readers. It also makes it extremely hard for attackers to clone the cards even if they steal the data encoded on their magnetic stripes, which is known as track data.

In regions where EMV has been the de facto payment card standard for a long time -- almost a decade in Europe -- fraud has shifted from transactions where cards are physically used to transactions where cards are not present, like those performed online. As a consequence, attackers there are more likely to target e-commerce websites, from which they can extract card information that can be used to perform fraudulent transactions online.

That's not yet the case in the U.S., where card track data and PoS systems remain the primary target, according to Trustwave's 2015 Global Security Report released Tuesday.

While EMV, however, can control fraud, it does not provide complete security, said John Yeo, vice-president at Trustwave. It shifts fraud to transactions in which physical cards are not used, where cybercriminals have fewer options to extract cash. Companies should not assume that with chip-enabled cards the cardholder data is automatically safe and security should be ignored, he said.

Worldwide, compromised point-of-sale (PoS) systems were involved in 40 percent of the breaches investigated by Trustwave, compared to 33 percent in 2013. The only business assets that were even more frequently targeted by attackers last year were e-commerce applications, which accounted for 42 percent of breaches.

Retail (including e-commerce retailers), food and beverage and hospitality businesses suffered the largest number of data breaches, accounting for 68 percent of the cases investigated by Trustwave -- retail 43 percent, food and beverage 13 percent and hospitality 12 percent.

Significant differences between attackers' preference for PoS and e-commerce breaches were also observed across industry sectors, not just regions.

Sixty-four percent of breaches in the retail sector involved the compromise of e-commerce environments, 27 percent point-of-sale systems and 9 percent corporate networks. In the hospitality sector 65 percent of breaches involved PoS environments and 29 percent e-commerce, while in the food and beverages sector 95 percent were PoS and only 5 percent e-commerce.

Overall, e-commerce transaction data like personal identifiable information and cardholder data was compromised in almost half of all breaches and PoS transaction data, or track data, in a third of them. Cybercriminals also stole financial credentials in 12 percent of breaches and proprietary business data in 8 percent.

The most common methods of intrusion used in the incidents analyzed by Trustwave were insecure remote access software or policies and weak passwords. Together, these accounted for 56 percent of all compromises, the distribution being half and half.

For PoS environments in particular these two security failures were responsible for 94 percent of breaches. That's because many PoS terminals are configured for remote administration, either over the Internet or over a corporate network.

Weak input validation, which can lead to SQL and other code injections, together with unpatched vulnerabilities, were the second leading causes of compromises, accounting for 15 percent each. As expected, these were much more common for e-commerce breaches.

When it comes to corporate network compromises, the leading causes were malicious insiders and misconfigurations, accounting for a third each.

Companies are still not doing a good job at quickly identifying and containing breaches, according to Trustwave.

Affected companies identified breaches themselves in only 19 percent of cases. This is a significant decrease from last year's 29 percent.

Regulatory bodies, card brands and merchant banks were responsible for alerting businesses that they suffered a breach in 58 percent of cases. Law enforcement is also increasingly playing a role in this, notifying affected companies of 12 percent of breaches compared to 3 percent last year.

The median number of days from intrusion to detection across all incidents was 86, while from intrusion to containment it was 111. However, the numbers are very different for self-discovered breaches -- only 14.5 days from intrusion to containment. This suggests that it's considerably better for companies to have processes in place that allow them to identify breaches themselves.

The Trustwave report shows that many companies are still struggling with basic security principles like enforcing access controls, implementing strong authentication, patching known vulnerabilities or avoiding common Web coding errors that have been known since the 1990s.

It's generally accepted among security professionals that there's no such thing as 100 percent security and that if a determined and sophisticated attacker wants to get in, he'll eventually find a way. Therefore, companies should strive to make it as hard as possible for attackers to break in, to the point where compromising systems would no longer justify the investment in time and resources for the vast majority of attackers.

Unfortunately, the organizations that do get breached are still getting some of the security fundamentals quite wrong, Yeo said.

Join the CSO newsletter!

Error: Please check your email address.

Tags intrusiontrustwavesecuritydata breachAccess control and authenticationfraud

More about TrustwaveVisa

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts